How to Perform a Security Audit - Part 1

To ensure that your system's security is up to scratch, you first need to know what is involved in carrying out a security audit. In this first of two articles, Michelle Johnston takes a look at the business aspects involved.

"Internet security is a colossal problem which threatens not only
businesses but also critical national infrastructures which are dependent on
e-government." Paddy Ashdown, member of Parliament, United
Kingdom

Your manager has told you that, in light of recent events in the United
States, it is your job to ensure that your system's security is up to
scratch. Where do you start? Bring in a security consultant? Do it yourself? Get a
member of your staff to do it? Before you can decide, it will be useful to know
what is involved in carrying out a security audit of your systems so that you
can decide which option is best to take: for example, whether you have the
skills required in house (and, if not, whether the security consultant you hire
does!). This article looks at the business aspects of a security audit. The
second article in this series looks at the technical aspects.

Requirements

The first thing a security audit needs to take into account is what your
system requirements are:

Are the systems required to be available 24 x 7? Many e-business systems
are required to have 99.99% or higher availability because they are used by
users all over the world.

What are the access requirements? Is access to systems/data restricted
within the company to senior management? Are customers/business
partners/competitors allowed access to any part of the system (especially for
e-business systems)?

How many users use the system on average and at peak times?

How much data is stored?

Are there legal requirements to store data for a certain period of
time?

Are there legal requirements to protect data from intruders?

How sensitive is the data stored? How badly would it affect business if
competitors or other intruders had access to that data or destroyed the
data?

How sensitive is the system itself? How badly would it affect business
for an unauthorized user to gain access to different parts of the
system?